Bugzilla – Bug 1059075
-fstack-clash-protection writes beyond array bounds
Last modified: 2018-05-01 22:35:28 UTC
When allocating a zero-length array with alloca or as a VLA the code produced by -fstack-clash-protection accesses the array beyond bounds. The failure can best be seen on armv7 (or targets without their own probe_stack insn) where a stack probe is destructive, and where it breaks glibc. https://build.opensuse.org/package/live_build_log/Base:System/glibc/openSUSE_Factory_ARM/armv7l
The C standard says that VLA shall not have zero size, but a size of 1 is valid, and the default probe_stack expansion writes to a MEM of word_mode.
So we have to surround the code generated by the final

  + if (flag_stack_clash_protection)
  +   emit_stack_probe (target);

with a compare against zero and jump. SLE is affected as well.
(In reply to Andreas Schwab from comment #1)
> The C standard says that VLA shall not have zero size, but a size of 1 is
> valid, and the default probe_stack expansion writes to a MEM of word_mode.

So the question is whether we at least align the allocation to word_mode, which I doubt.
GCC supports zero length arrays, but it is unclear if it also supports zero length VLA.
ldconfig on aarch64 is also affected.
Hmpf. Indeed, some hardening is in order, aligning the size to wordmode and checking for zeroness. I'm going to work on that, but the labs conf interferes a small bit.
The generated code for probing "char zero[pad]":

    mov r6, sp
    add r3, r3, #7
    bic r3, r3, #7
    cmp r3, #4096
    bcc .L128
  .L186:
    sub r3, r3, #4096
    sub sp, sp, #4096
    cmp r3, #4096
    str r0, [sp, #8]
    bcs .L186
  .L128:
    ldr r7, [fp, #-56]
    sub sp, sp, r3
    mov r1, #0
    add r3, sp, #8
    mov r0, r3
    str r0, [sp, #8]

The offset of #8 means that it overwrites a nearby variable.
For "char *dir = strdupa (aux_cache_name);" it generates an insn with unpredictable behavior:

    mov r0, r5
    bl strlen(PLT)
    add r3, r0, #15
    add r2, r0, #1
    bic r3, r3, #7
    cmp r3, #4096
    bcc .L281
  .L320:
    sub r3, r3, #4096
    sub sp, sp, #4096
    cmp r3, #4096
    str r0, [sp]
    bcs .L320
  .L281:
    sub sp, sp, r3
    ldr r1, [fp, #-172]
    mov r0, sp
    str r0, [r0], #7      <======
    bic r0, r0, #7
    bl memcpy(PLT)

    cache.s:2116: Warning: source register same as write-back base
The latter is filed as PR82248.
On aarch64 this overwrites the saved frame pointer (register x29).

       0x0000000000403ad8 <+1008>: ldr x0, [x29, #144]
       0x0000000000403adc <+1012>: mov x22, sp
       0x0000000000403ae0 <+1016>: add x0, x0, #0xf
       0x0000000000403ae4 <+1020>: and x0, x0, #0xfffffffffffffff0
       0x0000000000403ae8 <+1024>: cmp x0, #0x1, lsl #12
       0x0000000000403aec <+1028>: b.cc 0x403b04 <save_cache+1052>  // b.lo, b.ul, b.last
       0x0000000000403af0 <+1032>: sub sp, sp, #0x1, lsl #12
       0x0000000000403af4 <+1036>: sub x0, x0, #0x1, lsl #12
       0x0000000000403af8 <+1040>: cmp x0, #0x1, lsl #12
       0x0000000000403afc <+1044>: str xzr, [sp]
       0x0000000000403b00 <+1048>: b.cs 0x403af0 <save_cache+1032>  // b.hs, b.nlast
       0x0000000000403b04 <+1052>: sub sp, sp, x0
       0x0000000000403b08 <+1056>: ldr x23, [x29, #144]
       0x0000000000403b0c <+1060>: mov w1, #0x0  // #0
       0x0000000000403b10 <+1064>: mov x0, sp
       0x0000000000403b14 <+1068>: mov x2, x23
    => 0x0000000000403b18 <+1072>: str xzr, [sp]
So both arm 32-bit and 64-bit are currently broken regarding that option?
It is unknown whether other architectures are affected.
As one data point: I was comparing the test results (GCC testsuite) of all SLE11 architectures on gcc43 with this patch, and they were clean. So either the testsuite doesn't contain a problematic alloca, or only aarch64 is affected. Are we caring for arm 32-bit?
Most likely none of them is testing zero-size VLA.
Meh, I forgot to press "Save changes" yesterday night for these comments I wanted to add: (meanwhile the packages built through) Try with the current compiler(s) in devel:gcc. I've touched only gcc43, gcc48 and gcc7, and I've only cared for the problem with zero length for VLAs and alloca. I.e. I haven't touched the PR82248 problem yet. I've glanced at armv7l and aarch64 code generated for some of the constructs and it seems to look good, but I'm not waiting for the testsuite to run through right now (should be ready by tomorrow). I've decided to do only minimal surgery on the patch, so now the code looks like:

    size = align1(size);
    if (size != 0) {
      while (size >= 4096) {
        size -= 4096;
        SP -= 4096;
        *SP = XXX;
      }
      SP -= size;
      SP = align2(SP);
      *SP = XXX;
    }

The various aligns in there are pre-existing. They just weren't effective, because zero is already aligned to everything. So the word-sized writes are okay, but only after checking if anything was allocated at all.
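The following is a constructed model of the probing sequence, added here as an illustration; it is not code from this bug, from GCC, or from the patch under discussion. It replays the probe loop read off the armv7/aarch64 listings in the earlier comments (page-sized steps, a word-sized store per step, a final store at the new sp) against a flat byte array that stands in for the stack, and contrasts the original sequence with the one wrapped in the "if (size != 0)" guard from the comment above. The 4096-byte probe interval, the 8-byte size alignment, the 64-byte caller frame and the probe offsets are assumptions chosen for the example, as are all function names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a flat byte array stands in for the stack.  The stack
   grows downward, so "sp" is an index and lower indices are newer.  The
   caller's frame (saved registers, locals) occupies the CALLER_FRAME bytes
   above the initial sp.  All sizes here are assumptions for the example. */
#define PAGE_SIZE    4096u
#define STACK_BYTES  (4u * PAGE_SIZE)
#define CALLER_FRAME 64u

struct sim {
    uint8_t  mem[STACK_BYTES];
    size_t   sp;
    size_t   highest_write;  /* highest index touched by a probe in this call */
    unsigned probes;         /* probe stores performed in this call */
};

static void sim_init(struct sim *s) {
    memset(s, 0, sizeof *s);
    s->sp = STACK_BYTES - CALLER_FRAME;
}

/* Destructive word-sized probe, like "str r0, [sp, #8]" or "str xzr, [sp]". */
static void probe(struct sim *s, size_t off) {
    size_t addr = s->sp + off;
    memset(&s->mem[addr], 0xAA, sizeof(uint32_t));
    if (addr + sizeof(uint32_t) - 1 > s->highest_write)
        s->highest_write = addr + sizeof(uint32_t) - 1;
    s->probes++;
}

/* Probed dynamic allocation as modelled from the listings.  guard_zero = 0 is
   the original sequence; guard_zero = 1 wraps it in "if (size != 0)" as the
   fix describes.  Returns how many bytes of probe writes land above the
   allocation, i.e. inside the caller's frame; 0 means every probe stayed
   within the memory this call just reserved. */
static size_t probed_alloca(struct sim *s, size_t size, size_t probe_off,
                            int guard_zero) {
    size_t old_sp = s->sp;
    s->highest_write = 0;
    s->probes = 0;
    size = (size + 7) & ~(size_t)7;          /* align1: word-align the size */
    if (!guard_zero || size != 0) {
        while (size >= PAGE_SIZE) {          /* one probe per page */
            size -= PAGE_SIZE;
            s->sp -= PAGE_SIZE;
            probe(s, probe_off);
        }
        s->sp -= size;                       /* remainder of the allocation */
        probe(s, probe_off);                 /* final probe at the new sp */
    }
    if (s->probes == 0 || s->highest_write < old_sp)
        return 0;
    return s->highest_write - old_sp + 1;
}

/* Bytes written into the caller's frame by one allocation on a fresh stack. */
static size_t overrun_bytes(size_t size, size_t probe_off, int guard_zero) {
    struct sim s;
    sim_init(&s);
    return probed_alloca(&s, size, probe_off, guard_zero);
}

/* Number of probe stores one allocation performs on a fresh stack. */
static unsigned probe_count(size_t size, int guard_zero) {
    struct sim s;
    sim_init(&s);
    probed_alloca(&s, size, 0, guard_zero);
    return s.probes;
}

int main(void) {
    printf("size 0, unguarded, probe at [sp]:    %zu byte(s) into caller frame\n",
           overrun_bytes(0, 0, 0));
    printf("size 0, unguarded, probe at [sp,#8]: %zu byte(s) into caller frame\n",
           overrun_bytes(0, 8, 0));
    printf("size 0, guarded:                     %zu byte(s) into caller frame\n",
           overrun_bytes(0, 0, 1));
    printf("size 1, unguarded:                   %zu byte(s) into caller frame\n",
           overrun_bytes(1, 0, 0));
    printf("size 5000, guarded: %u probe(s)\n", probe_count(5000, 1));
    return 0;
}
```

With a zero-length request the unguarded sequence never moves sp, so its final store lands at (or, with the armv7 offset of #8, just above) the old sp, which is exactly where the caller's saved frame pointer or a neighbouring local lives; any non-zero request moves sp first, so the same store stays inside the new allocation. The guard removes the store in the zero case while leaving the per-page probes, which are the point of the protection, in place for large requests.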
My home:matz2:clash-check project made enough progress on armv7l and aarch64 that I think I've fixed the problem, so gcc7 is submitted as SR #528941 now.
Is this now better?
Looks so.
SUSE-RU-2018:0014-1: An update that has one recommended fix can now be installed.
Category: recommended (moderate)
Bug References: 1059075
CVE References:
Sources used:
SUSE OpenStack Cloud 6 (src): gcc48-4.8.5-31.6.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): libgcj48-4.8.5-31.6.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src): libgcj48-4.8.5-31.6.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): gcc48-4.8.5-31.6.1, libffi48-4.8.5-31.6.1, libgcj48-4.8.5-31.6.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): gcc48-4.8.5-31.6.1, libffi48-4.8.5-31.6.1, libgcj48-4.8.5-31.6.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src): gcc48-4.8.5-31.6.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): gcc48-4.8.5-31.6.1
SUSE Linux Enterprise Server 12-SP3 (src): gcc48-4.8.5-31.6.1
SUSE Linux Enterprise Server 12-SP2 (src): gcc48-4.8.5-31.6.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): gcc48-4.8.5-31.6.1
SUSE Linux Enterprise Server 12-LTSS (src): gcc48-4.8.5-31.6.1
SUSE Linux Enterprise Desktop 12-SP3 (src): gcc48-4.8.5-31.6.1, libgcj48-4.8.5-31.6.1
SUSE Linux Enterprise Desktop 12-SP2 (src): gcc48-4.8.5-31.6.1, libgcj48-4.8.5-31.6.1
SUSE-SU-2018:0053-1: An update that solves 29 vulnerabilities and has 57 fixes is now available.
Category: security (moderate)
Bug References: 1003846,1004995,1009966,1022404,1025282,1025891,1026567,1029907,1029908,1029909,1029995,1030623,1035386,1036619,1039099,1039276,1039513,1040800,1040968,1041090,1043059,1043590,1043883,1043966,1044016,1045472,1045522,1045732,1047178,1047233,1048605,1048861,1050152,1050258,1050487,1052503,1052507,1052509,1052511,1052514,1052518,1053137,1053347,1053595,1053671,1055446,1055641,1055825,1056058,1056312,1056381,1057007,1057139,1057144,1057149,1057188,1057634,1057721,1057724,1058480,1058695,1058783,1059050,1059065,1059075,1059292,1059723,1060599,1060621,1061241,1061384,1062561,1063249,1063269,1064571,1064999,1065363,1066242,1066371,1066500,1066611,1067891,1070878,1070958,1071905,1071906
CVE References: CVE-2014-3710,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653,CVE-2017-12448,CVE-2017-12450,CVE-2017-12452,CVE-2017-12453,CVE-2017-12454,CVE-2017-12456,CVE-2017-12799,CVE-2017-12837,CVE-2017-12883,CVE-2017-13757,CVE-2017-14128,CVE-2017-14129,CVE-2017-14130,CVE-2017-14333,CVE-2017-14529,CVE-2017-14729,CVE-2017-14745,CVE-2017-14974,CVE-2017-3735,CVE-2017-3736,CVE-2017-3737,CVE-2017-3738,CVE-2017-6512
Sources used:
SUSE CaaS Platform ALL (src): sles12-caasp-dex-image-2.0.0-3.3.11, sles12-dnsmasq-nanny-image-2.0.1-2.3.15, sles12-haproxy-image-2.0.1-2.3.16, sles12-kubedns-image-2.0.1-2.3.11, sles12-mariadb-image-2.0.1-2.3.15, sles12-openldap-image-2.0.0-2.3.11, sles12-pause-image-2.0.1-2.3.9, sles12-pv-recycler-node-image-2.0.1-2.3.10, sles12-salt-api-image-2.0.1-2.3.10, sles12-salt-master-image-2.0.1-2.3.10, sles12-salt-minion-image-2.0.1-2.3.14, sles12-sidecar-image-2.0.1-2.3.11, sles12-tiller-image-2.0.0-2.3.11, sles12-velum-image-2.0.1-2.3.13
openSUSE-RU-2018:0070-1: An update that has one recommended fix can now be installed.
Category: recommended (moderate)
Bug References: 1059075
CVE References:
Sources used:
openSUSE Leap 42.3 (src): cross-aarch64-gcc48-icecream-backend-4.8.5-29.2, cross-armv6hl-gcc48-icecream-backend-4.8.5-29.2, cross-armv7hl-gcc48-icecream-backend-4.8.5-29.2, cross-i386-gcc48-icecream-backend-4.8.5-29.2, cross-ia64-gcc48-icecream-backend-4.8.5-29.2, cross-ppc-gcc48-icecream-backend-4.8.5-29.2, cross-ppc64-gcc48-icecream-backend-4.8.5-29.2, cross-ppc64le-gcc48-icecream-backend-4.8.5-29.2, cross-s390-gcc48-icecream-backend-4.8.5-29.2, cross-s390x-gcc48-icecream-backend-4.8.5-29.2, gcc48-4.8.5-29.1, gcc48-testresults-4.8.5-29.2, libffi48-4.8.5-29.1, libgcj48-4.8.5-29.1
openSUSE Leap 42.2 (src): cross-aarch64-gcc48-icecream-backend-4.8.5-23.6.2, cross-armv6hl-gcc48-icecream-backend-4.8.5-23.6.2, cross-armv7hl-gcc48-icecream-backend-4.8.5-23.6.2, cross-i386-gcc48-icecream-backend-4.8.5-23.6.2, cross-ia64-gcc48-icecream-backend-4.8.5-23.6.2, cross-ppc-gcc48-icecream-backend-4.8.5-23.6.2, cross-ppc64-gcc48-icecream-backend-4.8.5-23.6.2, cross-ppc64le-gcc48-icecream-backend-4.8.5-23.6.2, cross-s390-gcc48-icecream-backend-4.8.5-23.6.2, cross-s390x-gcc48-icecream-backend-4.8.5-23.6.2, gcc48-4.8.5-23.6.1, gcc48-testresults-4.8.5-23.6.2, libffi48-4.8.5-23.6.1, libgcj48-4.8.5-23.6.1
SUSE-SU-2018:0300-1: An update that solves one vulnerability and has 7 fixes is now available.
Category: security (moderate)
Bug References: 1039513,1044016,1045091,1059075,1074621,938159,977654,999596
CVE References: CVE-2017-1000376
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): gcc43-4.3.4_20091019-37.3.1
SUSE Linux Enterprise Server 11-SP4 (src): gcc43-4.3.4_20091019-37.3.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): gcc43-4.3.4_20091019-37.3.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): gcc43-4.3.4_20091019-37.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): gcc43-4.3.4_20091019-37.3.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): gcc43-4.3.4_20091019-37.3.1
SUSE-RU-2018:0820-1: An update that has two recommended fixes can now be installed.
Category: recommended (moderate)
Bug References: 1059075,1074621
CVE References:
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): gcc48-4.8.5-5.6.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): gcc48-4.8.5-5.6.2
SUSE-RU-2018:1117-1: An update that has three recommended fixes can now be installed.
Category: recommended (low)
Bug References: 1039513,1059075,1074621
CVE References:
Sources used:
SUSE Studio Onsite Runner 1.3 (src): libffi43-4.3.4_20091019-24.5.1
SUSE Studio Onsite 1.3 (src): gcc43-4.3.4_20091019-24.5.1, libffi43-4.3.4_20091019-24.5.1